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Abstract. This paper describes a logic of progress for concurrent programs. The logic is 
based on that of UNITY, molded to fit a sequential programming model. Integration of the 
two is achieved by using auxiliary variables in a systematic way that incorporates program 
counters into the program text. The rules for progress in UNITY are then modified to 
suit this new system. This modification is however subtle enough to allow the theory of 
Owicki and Gries to be used without change. 


1. Introduction 


While verifying concurrent programs has been the topic of much research, deriving them 
has not. Even less work has been put into deriving concurrent programs in a way that gives 
equal consideration to both progress and safety requirements (as opposed to derivation that 
is based only on safety requirements). This paper contributes to this goal by defining a 
new logic of safety and progress. The paper does not address methodological questions of 
how to incorporate the logic into a design method for concurrent program derivation, and 
this is left as a subject for further work. The paper confines itself to defining the new logic, 
presenting an example of its use, and describing how the logic compares to other work in 
this area. 

The point of departure for this paper is the theory of Owicki and Gries {00761 Dij82[ 
FvG99{ . a theory of partial correctness only, which means that it can only be used to reason 
about safety requirements. Two reasons recommend this point of departure. The first is 
that this theory is attractively simple. Proofs are carried out in a programming language 
(using the assertional style of Hoare) rather than in some other programming model such 
as a Petri net, IO automaton, or process algebra. We see this as an important advantage 
for program design, where the practicality of model-based reasoning turns, in some large 
part, on the transparency, ease and reliability of the translation of the model into code. 

The second reason for using the theory is that it has already been used as an effective 
method of concurrent program derivation jFvG99| . albeit derivation that is based only on 
safety requirements. The attitude of Feijen and van Gasteren is instructive in this regard, as 
it represents a deliberate decision to eschew the expressiveness of temporal logic in favour of 
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the simplicity of Owicki and Gries. The benefit of doing so is a collection of design heuristics 
that are attractively simple to use and that, as already remarked, have been shown to be 
effective. The cost of the decision is that reasoning about progress requirements becomes 
both informal and post hoc. It is a welcome outcome that so much can be achieved in this 
way, yet it remains true that satisfaction of progress requirements using this approach is 
in an important sense left to chance. The pragmatic attitude of Feijen and van Gasteren, 
together with the limitation of the theory of Owicki and Gries, sets the methodological 
agenda for this paper. That is, the paper describes how to extend the theory of Owicki 
and Gries with a logic of progress that so far as possible, retains the simplicity of the 
original theory while at the same time provides a logic in which to formalise and prove 
progress requirements. This work then is a prolegomenon to our larger goal, which is a 
method of program derivation that assigns equal consideration to both progress and safety 
requirements. 

The step from standard predicate logic to temporal predicate logic represents an order 
of magnitude increase in complexity, which is why Feijen and van Gasteren refused to take 
it. In their words, “powerful formalisms for dealing with progress are available. However, 
the thing that has discouraged us from using them in practice is that they bring about so 
much formal complexity. ... We have decided to investigate how far we can get in designing 
multiprograms without doing formal justice to progress” I FvG99 p79). Other authors, 
while taking the step, fully recognise its significance. For instance, Lamport writes “TLA 
differs from other temporal logics because it is based on the principle that temporal logic 
is a necessary evil that should be avoided as much as possible. Temporal formulas tend 
to be harder to understand than formulas of ordinary first-order logic, and temporal logic 
reasoning is more complicated than ordinary mathematical reasoning” ( jLa.m94j . p917). 
Caution in the face of this added complexity has recommended to us the approach taken in 
UNITY 1CM88} . where assertion ' P leads to Q formalises an important class of progress 
requirements called ‘eventuality’ requirements, and where eventuality assertions are defined 
without using temporal logic. The progress logic of UNITY is ideal for three reasons: the 
rules fully capture the temporal notion of leads-to [GP89j . they thereby support reasoning 
about progress without resort to operational reasoning, and the rules are simple to use 
(relative to comparable program logics such as |Sch97l ILam94l 1. At the same time, we 
resile from the UNITY programming model because it lacks all notion of a control state, 
which makes (what should be simple) conventional sequential programming much harder. 
Fundamental operators such as cannot easily be represented ISdR94l . 

So we have chosen to add the complexity of the logic of UNITY to the theory of 
Owicki and Gries over the complexity of full temporal predicate logic, or, to be more 
precise, to add a logic of progress that, while clearly inspired by UNITY logic, is tailored 
to fit the fundamentally different programming model of multiple sequential programs. In 
adapting the UNITY logic to fit a sequential programming model, a decision on how to 
represent the control state of a sequential program was first to be made. lHH7fil offers a 
partial representation of control through the use of auxiliary variables, while }Sch971 !Lam871 
opt for a fuller representation through the use of control predicates. Our approach is a 
novel use of auxiliary variables to represent program counters, which provides a complete 
representation of the control points in a sequential program. This means that the formal 
complications that are introduced by the use of control predicates in the generalised Hoare 
logic of |Sch97t ILam87| are avoided in our logic, and we are able to retain the predicate 
transformer semantics of Dijkstra. The main contribution of this paper is to combine 
























EXTENDING THE THEORY OF OWICKI AND CRIES WITH A LOGIC OF PROGRESS 


3 


the strengths of these two different theories, Owicki-Gries and UNITY, in order to create 
something new. 

The paper is structured as follows. Section [3 describes the theory of Owicki and Gries 
and provides background to Section |3 which gives the formal basis for the extended logic 
described in Section |3J An application of the new logic to a program design task is also 
given in Section 0 and finally Section 0 makes a conclusion. 

2. The theory of Owicki and Gries 

This section describes the theory of Owicki and Gries l()07fi[fDij82[IFvG99l as presented 
in !FvG99| . Section 12.11 describes the underlying programming language and its operational 
model. Section describes the predicate transformer wlp that underlies the logical model 
of programs and concludes with the core theory of Owicki and Gries. 

2.1. The programming language and its operational model. The programming no¬ 
tation is the language of guarded commands El- 

Definition (Statement). For statements S, S\, S 2 , ■ ■ ■ S n , booleans B\, B 2 , ■ ■ ■, B n , variables 
x\... x m and expressions E\ ... E m . a statement is defined inductively as follows. 

( 1 ) skip is a statement. 

(2) A (multiple) assignment x:= E is a statement where, 

x:= E = x\\= Ei || x 2 := E 2 || ... || x m := E m 
and Xi 7 ^ Xj for i 7 ^ j. 

(3) S\;S 2 is a statement. 

(4) (S) is a statement. 

(5) The following are statements, where each Bi —> Si is called a guarded command with 
guard Bi and command Si. 

(a) if B 1 - S^B -2 - S 2 \\ ... D B n - S n fi 

(b) do B^ S^B-,-* S 2 \\...\\B n -^ S n od ♦ 

The statements IF and DO are defined as representatives of the general notion of an 
if or do statement. 

IF = if B\ —> SiOB 2 -> S 2 fi 
DO = do B -*■ S od 

A sequential program, also called a component, is just a statement. A concurrent program, 
also called a multiprogram, is a collection of components, together with a precondition that 
defines its initial states. In this paper, we will refer to a concurrent program as a program 
and to a sequential program as a component. The values of the variables in a program 
define its current data state. A variable of a component may be local to that component, 
meaning it is not read or written by any other component; private to that component, 
meaning it can be read but not written by any other component; or shared, meaning it can 
be both read and written by any other component. 

A component is executed by executing its atomic actions. An atomic action is an execu¬ 
tion step that results in a single update of the control state of the whole program, i.e., when 
an atomic action is executed, the control state of the component in which the action occurs 
changes once, and the control state of all other components remains the same. Note that 
an atomic action is guaranteed to terminate when it is executed. We adopt a programming 
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model in which an atomic action corresponds to an assignment statement, to a skip state¬ 
ment, to a guard evaluation step in an if or do statement, or to a coarse-grained atomic 
statement. The latter is defined by applying the ‘atomicity operator’ (S) to an arbitrary 
statement S, where the operator eliminates any control points in S so that (S) is executed 
atomically as just described. Note that execution of (S) is only enabled (not blocked) if 
execution of S is guaranteed to terminate. While this creates an impossible difficulty for 
the implementor, since a machine can not, in general, decide whether a statement will ter¬ 
minate, the use of coarse-grained atomic statements in our language allows us to nicely 
capture otherwise informal concepts (see |lGD05j ). iA091| solve this problem syntactically, 
by disallowing S to contain a loop or a synchronisation statement, whereas our approach 
is to make it the responsibility of the programmer to ensure that a coarse-grained atomic 
statement is guaranteed to terminate. 

Condition synchronisation in the model is achieved using the if statement. Execution of 
the guard evaluation action of an if statement is blocked when the guard evaluation action 
is not enabled, which is when all of the guards are evaluated false. A guard evaluation 
action of an if statement is therefore a conditional atomic action because it may not always 
be enabled. A guard evaluation action of a do statement is an unconditional atomic action 
because it is always enabled, as are skip and assignment actions. The programming model 
prescribes weak fairness, so that on termination of an atomic action, an atomic action that 
follows it, if there is one, is eventually executed if it is continually enabled. This means 
that in the concurrent execution of a number of components, the execution of the next 
(continually enabled) atomic action of no component is delayed indefinitely. 

2.2. Hoare triples, the wlp and the core theory of Owicki and Gries. If P and Q 

are any two predicates, and S' is a statement, a Hoare-triple , {P} S {Q} is true iff each 
terminating execution of S that starts in an initial state satisfying P is guaranteed to end 
in a final state satisfying Q. P is called the precondition of S and Q the postcondition. 
A predicate that appears in a Hoare-triple is also called an assertion and programs that 
have such assertions are referred to as being annotated. The annotation of a program also 
defines the program’s initial state with a precondition, which is referred to as Pre. 

Definition (Weakest Liberal Precondition). The weakest liberal precondition (wlp) P3761 
predicate transformer is defined inductively as follows, where P[x:= E] denotes the textual 
substitution of each Ei for free occurrences of Xi in P. 

(1) wlp.skip.P = P 

(2) wlp.(x:= E).P = P[x:= E] 

(3) wlp.(S).P = wlp.S.P 

(4) wlp.(Si] S 2 )-P = wlp.S\.(wlp.S 2 -P) 

(5) wlp. IF. P = (Bi =► wlp.Si.P) A (B 2 =► wlp.S 2 .P ) 

(6) wlp in the case of statement DO need no longer be first order definable |Gum99j . as 
we do not know when (or if) the loop terminates. The wlp of a DO loop is defined 
in terms of a countable sequence of conditionals of the form 

D = if B —> S'Q-'P —> skip fi which gives us: 

OO 

wlp.DO.P = \J wlp.D n .P 

71=1 


♦ 


where D n is the n-fold iteration of statement D. 
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The fundamental relation between Hoare-triples and wlp is that, for any statement S 
and predicates P and Q 1 , 

{P} S {Q} = P^ wlp.S.Q 

In a program design setting it is usually most convenient to present proofs using the 
predicate transformer wlp. However, this is not always the case due to the awkwardness 
of the definition of wlp for statement DO, where it is more convenient to make use of the 
following theorem 

{P} DO {Q} «= ((P A B => wlp.S.P ) A (P A => Q)) 

Any predicate P that satisfies this relation is referred to as a loop invariant, and proving 
correctness of an annotated DO statement amounts to finding a P that satisfies this relation. 

We are now in a position to state the core theory of Owicki and Gries, which defines 
the conditions under which a program annotation is correct. 

Rule (Local Correctness). An assertion P in a component is locally correct (LC) when, 

(1) if P is textually preceded by program precondition Pre, then Pre => P 

(2) if P is textually preceded by {Q} S, then {Q} S {P} holds, i.e., Q wlp.S.P. 

» 

Rule (Global Correctness). An assertion P in a component is globally correct (GC) if for 
each {Q} S from a different component, {P A Q} S {P} holds, i.e., P A Q =>• wlp.S.P. ■ 

An assertion is correct if it is both locally and globally correct. An annotation is correct 
if all assertions are correct. 

Rule (Postcondition). A predicate P is a valid postcondition of a program if the conjunction 
of the correct postconditions of the components implies P. ■ 

It is useful at this point to introduce a simple example of how the theory can be used 
to prove a safety requirement which will serve to make the foregoing discussion concrete. 
Consider this program of two components X and Y 


Program (1) 


Pre: x = 0 


Component X: 

Component Y: 

x:= x + 1 

x:= x + 2 


Safety: Program (1) has terminated =>• x = 3 
Program (1) satisfies Safety. 


Proof. X and Y are annotated locally correct (LC) and note that both satisfy part (1) of 
the LC rule 


Program (1) 

Pre: x = 0 

Component X: 

Component Y: 

{x = 0 } 

{x = 0 } 

x:= x + 1 

x:= x + 2 

{x = 1 } 

{x = 2 } 


4t is common to relate Hoare-triples to the total correctness predicate transformer wp, however, this is 
ill-suited to a programming paradigm in which termination is not always desired. 
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Global correctness (GC) of the annotation is now arranged by weakening all four assertions, 
noting that this maintains LC. 


Program (1) 

Pre: x = 0 

Component X: 

Component Y : 

P: {x = 0 V x = 2} 

{x = 0 V x = 1} 

x:= x + 1 

x:= x + 2 

Q: {x = 1 V x = 3} 

{x = 2 V x = 3} 


The GC of the assertions P and Q in X are calculated: 


wlp.(x:= x + 2).P 
= {Substituting the value of P} 
wlp.(x:= x + 2).(x = 0 V x = 2) 
<= {By definition of wlp} 
x = 0 

= {By logic} 

(x = 0Vx = 2)A(x = 0Vx = l) 


wlp.(x:= x + 2). Q 
= {Substituting the value of Q} 
wlp.(x:= x + 2).(x = 1 V x = 3) 
<= {By definition of wlp} 
x = 1 

= {By logic} 

(x = lVx = 3)A(x = 0Vx = l) 


Finally, the conjunction of the two final assertions of X and B establishes the desired safety 
requirement 

(x = lVx = 3)A(x = 2Vx = 3) = x = 3 □ 

The simplicity of the core theory is reflected in its limited power. The lack of a means 
to reason about a program’s control state means that safety requirements that are clearly 
met may not be provable, such as in the following program. 


Program (2) 


Pre\ x = 0 


Component X: 

Component Y: 

x:= x + 1 

x:= x + 1 

Safety: Program (2) has terminatec 

=>• x = 2 


It is an interesting exercise to convince yourself that this safety requirement is not 
provable in the core theory. The solution in (OGVOl is to add auxiliary information into a 
program which could be used in its correctness proof. We start by defining an auxiliary 
assignment, which is an assignment to a fresh variable, different from all program variables, 
called an auxiliary variable. The assignment may only appear as part of an atomic action, 
hence, does not introduce any new control points. We require that actions remain well- 
formed when all auxiliary assignments are removed. Furthermore, as addition of auxiliary 
information should not affect control and data states of the original program, auxiliary 
variables may not appear in any guard and assigned to a non-auxiliary variable. 

Returning to the example of Program (2), we augment the program with auxiliary 
assignments to fresh variables pc.A and pc.B to give us the following program. 
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Program (3) 


Pre: x = pc.X = pc.Y = 0 


Component X: 

Component Y: 

x:= x + 1 pc.X:= 1 

x:= x + 1 | pc.Y := 1 

Safety: Program (3) has terminated 

=> x = 2 


Program (3) satisfies Safety. 

Proof. This is now much as for Program (1). The two components can be annotated for LC 


Program (3) 

Pre: x = pc.X = pc.Y = 0 

Component X: 

Component Y: 

{x = 0 }{pc.X = 0} 

{x = 0 }{pc.Y = 0} 

x:= x + 1 | pc.X:= 1 

x:= x + 1 | pc.Y:= 1 

{x = l}{pc.X = 1} 

{x = l}{pc.Y = 1} 


GC is arranged by a combination of strengthening and weakening these assertions as follows: 


Program (3) 

Pre: x = pc.X = pc.Y = 0 

Component X: 

Component Y: 

P: {(x = 0 A pc.Y = 0) V (x = 1 A pc.Y =1)} 

{(x = 0 A pc.X = 0) V (x = 1 A pc.X = 1)} 

{pc.X = 0} 

{pc.Y = 0} 

x:= x + 1 pc.X:= 1 

x:= x + 1 || pc.Y:= 1 

Q: {{x = 1 A pc.Y = 0) V {x = 2 A pc.Y =1)} 

{{x = 1 A pc.X = 0) V (x = 2 A pc.X = 1)} 

{pc.X = 1} 

{pc.Y =1} 


As before, the GC of P and Q in X are calculated: 

wlp.(x:= x + 1 || pc.Y:= l).(((x = 0 A pc.Y = 0) V (x = 1 A pc.Y = 1)) A pc.X = 0) 

= {By definition of wlp} 
x = 0 A pc.X = 0 
«= {By logic} 

((x = 0 A pc.Y = 0) V (x = 1 A pc.Y = 1)) A pc.X = 0 A pc.Y = 0 

wlp.(x:= x + 1 || pc.Y:= l).(((x = 1 A pc.Y = 0) V (x = 2 A pc.Y = 1)) A pc.X = 1) 

= {By definition of wlp} 
x = 1 A pc.X = 1 
«= {By logic} 

((x = 1 A pc.Y = 0) V (x = 2 A pc.Y = 1)) A pc.X = 1 A pc.Y = 0 

Finally, the conjunction of the two final assertions of A and B establishes the desired safety 
requirement. 

((x = 1 A pc.Y = 0) V (x = 2 A pc.Y = 1)) A pc.Y = 1 => x = 2 □ 

Noting that Program (3) is just Program (2) with auxiliary assignments to pc.A and 
pc.B superimposed on it, we are entitled to conclude that Program (2) satisfies the same 
safety requirement, because the two programs are equivalent in having the same data and 
control states. 
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3. The extended theory of Owicki and Gries 

It is fairly clear, so far as reasoning about progress is concerned, that the theory of 
Owicki and Gries is deficient because it lacks a systematic means to describe a program’s 
control state. Any extension to the theory must therefore provide for this, and the extension 
to be described in this section has two parts. First, control points in a component are 
named by naming the atomic action to be executed at the corresponding point. This is 
done by labelling all of the atomic actions in the component. Second, an auxiliary variable 
is introduced into each component in a way that models its ‘program counter’, i.e., the value 
of this variable indicates the active control point in the component, which is just the label 
of the atomic action that corresponds to that control point. 

Sections rm and IQ introduces the twin notions of a labelled program and a program 
counter while Section r3.3l reviews the reasons why program counters were chosen over control 
predicates as the formalisation of program control states. 

3.1. Labelled statements. The first step toward describing an active control point in a 
statement requires being able to refer to the next atomic action to be executed. We do 
this by assigning a unique label to each atomic action that occurs in the statement. The 
label of a statement’s initial atomic action will be called the initial label of that statement. 
In addition, a label will be assigned to the end of the statement which will be called the 
final label of the statement. A final label of a statement will always label the initial atomic 
action of a statement that follows it. However, if there is no following statement, then the 
final label does not refer to any atomic action, but simply marks the end of the statement. 

Definition (Labelled Statement). 

(1) A labelled skip statement has the form i: skip j: where i is the initial label and j is 
the final label. 

(2) A labelled assignment statement has the form i:x:= E j: where i is the initial label 
and j is the final label. 

(3) A labelled sequential statement has the form i: S \ ; j: S2 k: where i is the initial label 
of statement Si, j is the final label of Si, j is the initial label of statement S 2 and 
k is the final label of S 2 . 

(4) A labelled coarse-grained atomic statement (S) has the form i: (S) j: where i is the 
initial label and j is the final label, and statement S is not labelled. 

(5) A labelled statement IF has the form 

i: if T?i —>- j:Si\\E> 2 —* k: S2 fi l: 

where i is the initial label of IF and l is the final label of IF, i is the label of the 

initial atomic action of IF, which is the guard evaluation action, and j and k are 

the final labels of the guard evaluation action, j is the initial label of statement Si, 
k is the initial label of statement S 2 and l is the final label of both Si and S 2 . 

( 6 ) A labelled statement DO has the form 

i: do B —* j: S od k: 

where i is the initial label of DO and k is the final label of DO, i is the label of the 

initial atomic action of DO, which is the guard evaluation action, and j and k are 

final labels of the guard evaluation action, j is the initial label of statement S and 
i is the final label of S. 

(7) If i and j are the initial labels for different actions of any statement, then i 7 ^ j. ♦ 
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In what follows A.i will be used to denote ‘the atomic action in component A labelled 
V whenever i is not the final label of component A. 

3.2. Modelling program counters. There are essentially two ways of using this addi¬ 
tional information that labelled statements provide. One way is to introduce into the logic 
new control predicates to express propositions such as, for instance, that ‘control in com¬ 
ponent A is at the atomic action labelled V. This kind of approach is taken in ( ISch97l . 
pp96-108, ppl36-140) and in ( ILam87| h but the cost is that the familiar axioms of Hoare 
logic, as presented in Section E£21 must be given up in favour of generalised axioms that take 
account of the fact that, say, {P} i: skip j: {P} is no longer true for all P (for example, 
when P asserts that ‘control is at label i’). A further cost is that new axioms must be 
introduced to capture the intended interpretation of the new control predicates. The desire 
to make only conservative extension to the theory of Owicki and Gries, prompted by the 
desire to retain old, familiar and trusted ways (the wlp), has led us to resist this approach 
in favour of the use of auxiliary variables to reason about the control state. In our method, 
{P} i'.skip j: {P} is also not an axiom. However, we do avoid the extra axioms on the 
control state required by control predicates, and are able to retain the wlp as the main tool 
for proving predicates. 

Consequently, we formalise a program’s control state in the following way. An auxiliary 
variable is introduced into each component in a way that models its ‘program counter’, i.e., 
the value of this variable indicates the active control point in the component, which is just 
the label of the next atomic action to be executed, or the end of the component if no such 
action exists. Given a component A, this variable pc.A will be called the program counter 
of A, and its essence is to record the control state of A, but in so doing to change neither 
the program’s control state nor its data state. Given this essence, program counter pc.A 
must be updated at every atomic action in A in a way that assigns pc. A a final label of that 
action. This is done by superimposing an auxiliary assignment to pc.A onto every atomic 
action in A in the following way. 

Definition (Program Counter). Given a program with precondition Pre and labelled com¬ 
ponent A, variable pc.A is the program counter of A when 

(1) pc. A is a local variable of A. 

(2) If i is the initial label of A then Pre =>■ pc.A = i 

(3) A labelled skip statement has the form i: (skip',pc.A:= j) j: . 

(4) A labelled assignment statement has the form i:x:= E || pc.A:= j j: . 

(5) A labelled coarse-grained atomic statement has the form i: ( S;pc.A:= j) j: . 

(6) A labelled statement IF has the form 

► pc.A:= j) j: Si\\(B 2 —* pc.A:= k) k: S 2 fi l. 

(7) A labelled statement DO has the form 

i: do (B —> pc.A:= j) j: S \\ (-iB —> pc.A:= k) od k: 

Given that guard evaluation is an atomic action (as it changes the program control 
state whenever a guard is evaluated true), and given that a program counter must be 
updated at every atomic action in a component, we are required to extend the grammar 
of statements IF and DO in order to make explicit the state change that can accompany 
a guard evaluation. To this end we modify the syntax of guarded command B j:S to 
(. B —> pc.A:= j) j: S so that the transfer of program control from the guard evaluation to 
the initial action of S when guard B evaluates true is made explicit. Note how atomicity 
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brackets ( ) are used to indicate that the update of the program counter is part of the 
guard evaluation. However, we acknowledge that this grammar is awkward, because it is 
semantically misleading whenever a statement consists of several alternatives. For example, 
in statement 

if {B\ —► pc.A:= j) j: S\ [] (£>2 —► pc.A:= k) k: S2 fi l: 
the two pairs of atomicity brackets suggest two atomic guard evaluations, which is not the 
case, rather there is one atomic guard evaluation labelled by i, which has three outcomes, 
the first where guard B\ is evaluated to true and control passes to the initial action of S\ 
labelled by j , the second where guard £>2 is evaluated to true and control passes to the 
initial action of S2 labelled by k, and the third where both guards B\ and £>2 are evaluated 
to false and control remains at the guard evaluation action labelled by i. 

The case of statement DO 

i: do B —y j: S od k: 

is further complicated by the fact that the loop is not a blocking statement, which is to 
say that when guard B is evaluated false control does not remain at the guard evaluation 
labelled by i, but rather it passes to the control point labelled by k. This transfer of 
control requires an explicit update to the program counter, which we have accommodated 
by changing the grammar of the DO statement in a way that makes this outcome of the 
guard evaluation explicit 

i: do B —* j: S \\^B —> od k: 

The DO statement now admits a guarded command -1 B —> with an empty command, which, 
if selected, has the total effect on the program state of passing control to the control point 
labelled by k. The operational semantics of this syntactically modified DO statement is 
unchanged, with the sole purpose of the modification being to introduce a peg on which to 
hang the assignment pc.A:= k. 

Finally, note that we are free to interpret predicate pc.A = i to mean that ‘control in 
A is at A.i' because pc. A = i is a correct precondition of A.i and because labels are unique. 
LC follows from the definition of pc. A, and GC follows from the same, on account of pc. A 
being a local variable of A. 

3.3. Program counters vs. control predicates. Recalling that the reason for choosing 
program counters over control predicates has been driven by a desire to make only con¬ 
servative changes to the theory of Owicki and Gries, we can view this choice as one of 
a superficial (i.e., syntactic) change to guarded commands in order to make explicit the 
way that a guard evaluation can change the control state, over a significant (i.e., semantic) 
change to the program logic. The chief practical gains are that we are able to retain the 
semantics of uilp as the logical basis of the programming model and that the absence of 
primitive control predicates means that we do not need to introduce additional logical rules 
to define them. The core theory of Owicki and Gries as described in Section 12.21 therefore 
remains the same under the changes described in Sections 13.1 1 and lT2l and the definition of 
the wlp predicate transformer is extended to a labelled statement with program counter pc 
as follows 

( 1 ) wlp.(i: (skip;pc:= j) j: ).P = wlp.(pc:= j).P 

( 2 ) wlp.(i: (x:= E || pc:= j ) j: ).P = P[x:= E || pc:= j] 

(3) wlp.(i: {S;pc:= j) j: ).P = wlp.(S;pc:= j).P 
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(4) wlp.ii: S±-,j: S 2 k:).P = wlp.ii: S\ j: ).(wlp.(j: S 2 k:).P) 

(5) wlp.(i: if {B 1 -f pc:= j) j:S 1 \\(B 2 -*■ pc:= k) k: S 2 fi 1: ).P 

(Pi => wlp.(pc:= j).(wlp.(j: Si l: ).P)) A (. B 2 =>- wlp.{pc:= k).(wlp.(k: S 2 l: ).P)) 

(6) {P} v. do (B —* pc:= j) j: S [] (->B —> pc:= k) od k: {Q} 

(P A B =r wlp.(pc:= j).(wlp.(j: S i: ).P)) A (P A ->B =4> wlp.(pc:= k).Q) 

It is noteworthy that typical axioms ILam87l IAS89| that are required to define the 
meaning of a control predicate now become easy derived rules of the program counters 
model. 

(1) Each component has at most one active control point. This is trivial on account of 
(Vi, j : j 7 ^ i: pc.A = i => pc.A 7 ^ j) and the uniqueness of labels. 

(2) Each component has at least one active control point. This holds on account of the 
invariance of (3* :: pc.A = i). 

(3) Execution of an atomic statement in component a different from A does not change 
the active control point in component A. This is trivial on account of ATs program 
counter being a local variable of A. 

Against the advantages of using program counters, the chief drawback is the syntactic 
complexity that the program counter assignments add to the program under consideration. 
However, this added complexity is nicely avoided in practice by making the assignments 
implicit in the program. In effect, this amounts to redefining the wlp for a labelled statement 
with implicit program counter pc as follows 

(1) wlp.{i : skip j\ ).P = wlp.(pc:= j).P 

(2) wlp.(i:x:= E j: ).P = P[x:= E || pc:= j } 

(3) wlp.(i: (S ) j: ).P = wlp.(S]pc:= j).P 

(4) wlp.ii: Sp, j: S 2 k:).P = wlp.(i: Si j:).(wlp.(j: S 2 k:).P) 

(5) wlp.(i: if Bi —> j: S±]\B 2 —> k: S 2 fi l:).P 

{Bi => wlp.(pc:= j).(wlp.{j: Si l: ).P)) A (B 2 => wlp.(pc:= k).{wlp.{k: S 2 l: )-P)) 

( 6 ) {P} hdo B —> j: S od k: {Q} 

<= 

(PA54 wlp.{pc:= j).(wlp.{j: S i).P )) A (P A - 1 B wlp.(pc:= k).Q) 

and this is what we do. 

4. A LOGIC OF PROGRESS FOR THE EXTENDED THEORY 

As we now have the means to reason about the control state of a program, we are now 
in a position to extend the theory to support reasoning about progress requirements. The 
rules for progress in the extended theory are described in Section l~j~Tl Section FOl describes 
an application of the new logic to a program design task, which compares favourably to the 
treatment in f |FvG99| . pp2 07-212) and Section FOl describes a second application of the 
logic, this time to the proof of correctness of a program transformation. 
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4.1. Rules of progress. As already remarked in Section |T| the logic to be presented is 
almost just that of UNITY f |CM88| . pp47-74), where the notion of progress is formalised 
using the relation leads-to (denoted ~>), where, for any predicates P and Q, P Q holds 
if it is always the case that in a program state in which P holds, execution of the program 
is such that a program state will eventually be reached in which Q holds. In temporal logic 
)MP92| terms, P Q = □ (P =>■ ()Q) where □ and 0 are the ‘always’ and ‘eventually’ 
operators respectively. In order to axiomatize this relation, we begin by defining the notion 
of unless (un). 

Definition (Unless). If P and Q are any two predicates, P un Q holds if 

{P A -iQ AU} S {PVQ} 

holds for all atomic statements {U} S, where U denotes the precondition of S in the 
annotated program. ♦ 

Relation unless says that a program state in which P holds and Q does not, is per¬ 
petuated until a state is reached in which Q holds. But note that this does not guarantee 
that Q will ever hold, for (an extreme) example, true un Q holds for all Q, including false. 
To formalise progress properties we also need a notion of what it means for a statement to 
establish a predicate given that it is not yet true. In f |CM88| . pp50-52) this is formalised 
by the relation ensures, which forms the basis of the definition of leads-to. In our setting, 
and purely for presentational reasons, we have chosen not to define ensures, but rather to 
define the basic part of leads-to directly in terms of the several forms of atomic action in 
the programming language. More substantially, the basic part of our definition of leads-to, 
which is the point at which the relation is bound to the program under consideration, is the 
only point at which the two definitions of leads-to differ, the inductive part of our definition 
being identical to that in ( [HM88| . p52). However, this difference in the basic definition of 
leads-to is an essential difference, on account of the fundamentally different programming 
model that is used here and in UNITY. Our programs consist of a number of concurrently 
executing sequential components, each of which is constructed using the guarded command 
language PI761 , whereas a UNITY program is a single non-terminating loop of guarded 
assignments. 

We remind ourselves that for the basic part of the definition of leads-to, the atomic 
actions are skip, assignment, guard evaluation and coarse-grained atomic statements of the 
form (S) for arbitrary statement S. A judgment P Q arrived at using this rule ensures 
that if a program state is reached in which P holds, execution of the program is such that P 
will continue to hold until a program state is reached in which Q holds, and, further, a state 
in which Q holds will be reached. We will call this the ‘immediate progress’ rule because 
it allows us to actually exhibit an atomic action that is guaranteed to bring Q about. Our 
convention is that operator -w binds weaker than any logical operator. Hence, for example, 
(P => Q) R = P => Q R. 

Rule (Immediate Progress). P Q holds if P un Q holds, and there exists a labelled 
statement with initial label i in a component with program counter pc and 

(1) P A -iQ => pc = i 

(2) (a) the statement is a skip or an assignment statement i: S j: and, 

PA-iQ =4> wlp.(i: S j:).Q. 

(b) the statement is a coarse-grained atomic statement i: (S) j: and, 

P A^Q =3- wp.S.(Q\pc:= j}) 
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(c) the statement is an IF statement i: if B\ —> j: S±\\B 2 —> k: S 2 fi l: and, 

(i) P A —iQ =$• B\ V B 2 

(ii) (P A ->Q A Bi =A Q\pc:= j])) A (P A ->Q AB 2 A Q\pc:= A:]). 

(d) the statement is a DO statement hdo B —> j: S od k: and, 

(PA - <QAB =>• Q\pc:= j]) A (PA - <QA~<B =4> Q\pc:= k]). M 

To make sense of this rule we provide these interpretative notes. P Q is here justified 
on the basis of being able to actually exhibit a continually enabled atomic action at an active 
control point that makes Q true when it is executed. To see how the rule formalises this, 
we first note that P A - 1 Q is assumed. As P un Q must hold, we can be assured that P 
remains true as long as —>Q is true. Clause 1 establishes that control is at an atomic action 
labelled i in a component. Clause 2 establishes that this action is enabled when P A —>Q 
is true, and that its execution makes Q true. It follows from clause 1 that the action is 
continually enabled as long as —>Q is true and as we are assuming weak fairness, that the 
action is eventually executed. Clause 2 is separated into three cases to cover the three kinds 
of atomic actions: execution of an atomic statement; guard evaluation to an if statement; 
and guard evaluation to a do statement. In case (2a), an assignment action is always 
enabled and it is enough to ensure that its execution makes Q true. In case (2b), a guard 
evaluation action in an if statement is not always enabled and so clause (2bi) ensures that 
it is enabled when P A —>Q is true. Clause (2bii) further ensures that its execution makes 
Q true. In case (2c), a guard evaluation action in a do statement is always enabled and it 
is again enough to ensure that its execution makes Q true. 

The inductive part of the definition of leads-to is given by 

Rule (Inductive Progress). 

(Transitivity) (P R) -4= (P Q) A (Q R) 

(Disjunction) For any set W, ((3i :i G W: P.i ) Q) <= (Mi :i € W: P.i Q) 

■ 

The rule of transitivity requires no explanation. The rule of disjunction, in its finite 
application of, say, two progress assertions, amounts to the inference that if P.0 Q and 
PI Q then P.0 V PI Q. Via a finite number of applications of the immediate and 
inductive progress rules, we are now able to prove any eventuality property that can be 
proved using leads-to. The ‘next’ temporal operator is missing from our logic, just as it 
was missing from UNITY. However, this is not a big problem in concurrent environments 
as reasoning about ‘next’ seldom makes sense to the inherent non-determinacy. 

[CM88I also present a thorough treatment of a collection of derived rules for leads-to, 
all of which remain true in our setting, and which are listed below. The proofs of these 
derived rules are presented in Appendix A. 

Rule (Derived Progress Rules). 

(1) (Implication Theorem) P -w Q 4 = (P =>• Q) 

(2) (Impossibility Theorem) - 1 P -4= (P -w false ) 

(3) (Disjunction Theorem) 

((3m : m G W: P.m ) (3m : m € W: Q.m )) <= (Vm : m € W: P.m Q.m ) 

(4) (Cancellation Theorem) 

(P^QVP) <= (PQ V P>) A (P> P) 

(5) (PSP (Progress-Safety-Progress) Theorem) 

(P A R (Q A R) V D) •«= (P^Q)A(HunD) 
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( 6 ) (Induction Theorem) Let M be a total function from program states to set W. Let 
(W, -<) be well-founded. Variable m in the following premiss ranges over W and 
predicates P and Q do not contain free occurrences of variable m. Then, 

(P Q ) 4= (Vm :: PAM = m (P A M -< 777.) V Q) 

(7) (Completion Theorem) Let P.i and Q.i be predicates where i ranges over a finite 
set. Then, 

((Vi:: P.i) (Vi:: Q.i)VD) <= (Vi:: (P.i Q.iVD)A(Q.i un D)) U 

The remainder of this section gives two examples of how the new logic can be used. 
The first presents an application of the logic to a program design task, which compares 
favourably to the treatment in ( |FvG991 . pp207-212), and the second presents a proof of 
correctness of a program transformation called the “guard conjunction lemma”, which is 
taken from the same source ( 4FvG99] , ppll8-120). 

4.2. The initialisation protocol. The first example is taken from jFvG991 where it ap¬ 
pears as both an exercise in verification (p84) and as an exercise in design (p207). Here we 
present an alternative design that starts with the following program 


The Initialisation Protocol 

Pre: true 

Component X: 

Component Y: 

Init.X; 

Init.Y ; 

y:= false ; 

x:= false; 

(if y —*• skip fi); 

(if x —► skip fi); 

S.X 

S.Y 


Progress: There is no individual deadlock 


The safety requirement of the initialisation protocol is omitted from the specification on 
account of this program already satisfying it, the requirement being that X cannot begin 
execution of code S.X until Y has completed execution of code Init.Y, and vice versa. 
This requirement is maintained provided that only assignment y:= true in Y is allowed, 
and this only after Init.Y, which is nicely ensured by restricting attention to the protocol 
code below: 


The Initialisation Protocol - simplified and labelled 

Pre: pc.X = pc.Y = 1 

Component X: 

Component Y: 

1 : y:= false; 

1 : x:= false; 

2: (if y —> skip fi) 

2: (if x —> skip fi) 

3: 

3: 


Progress: pc.X = 2 pc.X = 3 
Topology: Only y:= true is allowed in Y 


Progress is proved as follows: 
pc.X = 2 

{By case analysis on the guard of X.2} 

(pc.X = 2 A y) V ( pc.X = 2 A -> y) 

{Immediate progress rule with X.2, y is GC in X} 
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pc.A = 3 V (pc.X = 2 A -i y) 

As this is our first encounter with the immediate progress rule, let us elaborate the last step 
of the proof. We have: 

( pc.X = 2 A y) V ( pc.X = 2 A -<y) -w pc.X = 3 V ( pc.X = 2 A -<y) (4-1) 

This means we have the following instantiations: 

P = ( pc.X = 2 A y) V ( pc.X = 2 A -i y) 

Q = pc.X = 3 V ( pc.X = 2 A -iy). 

We first show that P un Q holds. 

Against X.l we have: 

PA^Q ^ wlp.(X.l).(PV Q) 

= {Substituting value of X.l and by wlp} 

P A -iQ (P\/Q)[y:= false, pc.X := 2] 

= {By substitution} 

P A -■ Q =>• true 
= {By logic} 
true 


Against X.2 we have: 

PA^Q ^ wlp.(X.2).(P VQ) 

= {Substituting value of X.2 and by wlp} 
P A —>Q A y =>• (P 5 V Q)\pc.X:= 3] 

= {By wlp calculation} 

P A -i Q A y =>- true 
= {By logic} 
true 


Against Y. 1 we have: 

P A -iQ => wlp.(Y.l).(P V Q) 

= {Substituting value of F.l and by rcZp} 
PA-Q =► PVQ 
= {By logic} 
true 


Against Y.2 we have: 

P A -iQ =>- wlp.(Y.2).(P V Q) 

= {Substituting value of F.2 and by rcZp} 
i 3 A —iQ Ax =>• P VQ 
= {By logic} 
true 


Clause (1) of the immediate progress rule holds, as PA ->Q pc. A = 2. Finally, as we are 

dealing with a coarse-grained atomic statement, we refer to clause ( 2 a) which gives us: 

P A — <Q => wlp.(X.2).Q 
= {Substituting value of X.2 and by wlp} 

P A ~>Q A y =A Q[pc.A:= 3] 

= {By wlp calculation} 

P A -iQ A y =>- true 
= {By logic} 
true 

It is still required that pc.A = 2 A -iy pc. A = 3 be shown to complete the proof, which 
demands proof that a disabled component makes progress. Transitivity may be used so 
that the proof obligation is broken up into 

pc.X = 2 A -i y pc.X = 2 A y (4-2) 

pc.A = 2 A y pc. A = 3 (4.3) 

so that becoming enabled, and making progress is shown in two different steps. We will 
skip the proof of (TO) as it is similar to that of D, however point out the importance 
of our topology constraint in the proof of (foil . Imagine that there was a statement in 
component Y that makes y false. In our proof of pc.X = 2 A y un pc.X = 3, we would have 
a calculation of the following form: 
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pc.X = 2 A y A pc. X / 3 => wlp.(i: y:= false j: ).((pc.X = 2 A y) V pc.X = 3) 

= {By wlp calculation and logic} 
pc.X = 2 A y =4> pc.X = 3 
which is clearly not true. 

We now return to the proof of @ 21 ). Notice that component X is disabled, which gives 
us no choice but to consult component X. Hence, we have: 

pc.X = 2 A -■ y pc.X = 2 A y 

<= {By disjunction} 

(Vi :: pc.X = 2 A ->y A pc.X = i pc.X = 2 A y) 

This is now demanding that the execution of the rest of the program, i.e., component X, 
lead to a state which makes the guard at X.2 true. We now perform case analysis on 
pc.X e {1,2,3}. 

pc.X = 2 A -iy A pc.X = 1 pc.X = 2 Ay (4.4) 

pc.X = 2 A -iy A pc.X = 2 pc.X = 2 Ay (4.5) 

pc.X = 2 A -iy A pc.X = 3 pc.X = 2 Ay (4.6) 

For (14.41) . on account of XI not hampering progress, on account of being an assignment, 

and being orthogonal to pc.X = 2 A —>y, we opt for deferring the obligation to make y true, 
by delegating the task to X.2. @31 is therefore proved as follows: 
pc.X = 2 A -iy A pc.X = 1 
{Immediate progress with XI} 
pc.X = 2 A -iy A pc.X = 2 
{By (14.51) } 
pc.X = 2 Ay 

For (14.51) . since X.2 is a guarded skip, deadlock is avoided by requiring invariance of: 

pc.X = 2 A -ip A pc.X = 2 A -ix => false (4.7) 

We may simplify (EH as follows: 

pc.X = 2 A -iy A pc.X = 2 A ->a: => false 
= {By logic} 

pc.X = 2 =>■ pc.X / 2 V y V a; 

Since pc.X is local to X and because of the topological constraint on X, there is no choice 
but to introduce assignment y:= true at X.2 to give us: 


The Initialisation Protocol - refinement 1 

Pre: pc.X = pc.Y = 1 

Component X: 

Component Y: 

1: y:= false ; 

1 : x:= false ; 

4: x:= true ; 

4: y:= true ; 

2: (if y —► skip fi) 

{pc.X" /2Vi/Vi} 

3: 

2 : (if x —»■ skip fi) 

3: 


@ 21 ) is now proved as follows: 
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pc.X = 2 A -iy A pc.Y = 2 
{By (14.71) 1 

pc.X = 2 A -iy A pc.Y = 2 A a: 

{Immediate progress rule with Y. 2} 
pc.A" = 2 A -iy A pc.Y = 3 
{By (14.61) 1 
pc.X = 2 A y 

For (14.61) . we opt to add a second assignment y:= true at Y. 3 which gives us the following: 


The Initialisation Protocol - refinement 2 

Pre: pc.X = pc.Y = 1 

Component X: 

Component Y: 

1: y:= false; 

1: x:= false; 

4: x:= true ; 

4: y:= true; 

2 : (if y — ► skip fi); 

2 : (if x —► skip fi); 

3: x:= true 

3: y:= true 

5: 

5: 


But note that this derivation is typical in its interplay between proof and program 
development, and the new code at Y.4 and Y. 3 has extended the case analysis to cases 
pc.Y £ {1,2,3,4, 5}. Case pc.Y = 4 is again by progress rule, but case pc.Y = 5 is a 
different matter. Evidently, introducing an assignment is not an option here for reason of 
infinite regress, so we look to arrange invariance of: 

pc.Y = 5 =>■ y (4.8) 

We now perform calculation on dun which gives us: 
pc.X = 2 A ~<y A pc.Y = 5 
{By (14.81) 1 
false 

{Implication theorem} 
pc.X = 2 Ay 


The Initialisation Protocol - annotated for 
Pre: pc.X = pc.Y = 1 

progress 

Component X: 

Component Y: 

1: y:= false; 

1: 

x:= false; 

4: x:= true; 

4: 

y:= true; 

2 : (if y —> skip fi); 

2 : 

(if x —> skip fi); 

3: x:= true 

3: 

y:= true 

5: 

5: 



For GC of assertion y at Y. 5 we look to strengthen (TOT) with pc.X 1 

pc.Y = 5 => y A pc.X 1 
which induces the following annotation of Y: 


(4.9) 
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The Initialisation Protocol - correctly annotated 

Pre\ pc.X = pc.Y = 1 

Component X: 

Component Y: 

1 : y:= false ; 

1 : x:= false ; 

4: x:= true ; 

{x =)> pc.X / 1} 

2 : (if y skip fi); 

4: y:= true ; 

3: x:= true 

2 : (if x — ► skip fi); 

5: 

{pc.X + 1} 


3: y:= true 


{y}{pc.X 1} 

5: 


GC of pc.X 1 is for free because every action in X makes it true on account of X.l being 
the initial action of X. This concludes the derivation. 

The example is a nice one for two reasons. First, because the problem itself is quite 
delicate, as can be seen by reworking the design from the point at which it was decided 
to establish EH) by the transitivity rule rather than by introducing an assignment. The 
alternative path leads all the way to: 


Pre: pc.X = pc.Y = 1 

Component X: 

Component Y: 

6 : x:= true ; 

6 : 

y:= true ; 

1: y:= false ; 

1: 

x:= false ; 

4: x:= true ; 

4: 

y:= true ; 

2 : (if y —> skip fi); 

2 : 

(if x —► skip fi); 

3: x:= true 

3: 

y:= true 

5: 


{y}{? PC-X 1 } 


5: 



but now the derivation falls down on account of the (lack of) GC of pc.X 1 at Y.5. 

Second, while the derivation is marked by a complete absence of operational thinking, 
yet it was completely driven by progress concerns. This is just what we want to see in a 
problem like this where progress is of the essence. In this regard, it is instructive to compare 
it to the derivation in |FvG99j and to note there the authors closing remark that “we have 
to admit that, no matter how crisp the final solution turned out to be, its derivation seems 
to be driven by hope and a kind of opportunism.” (p212). In our view, this is not true in 
the present case, rather we see this derivation as a small step toward our larger goal of 
developing a method of program derivation in which progress requirements are given equal 
consideration with safety requirements. 

4.3. The guard conjunction lemma. The guard conjunction lemma ( [FvG99| . ppll 8 - 
120 ) describes a correct program transformation by justifying the replacement of a guarded 
skip with a (coarse-grained) conjunctive guard B/\C by a pair of (fine-grained) guarded skips 
with guards B and C, when B is GC in the component in which the guarded skip occurs. 
The lemma states that the transformation preserves the safety and progress properties of 
the original program, and it is noteworthy that the proof of the latter part is outside of 
the scope of the basic theory of Owicki and Gries (as presented in Section 12 . 21 ) . Thus, 
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we are told by Feijen and van Gasteren that the basic theory “is not suited for proving 
[progress]. Fortunately, Dr. J. Hooman proved it for us. He did so by considering the sets 
of all possible computations that can be evoked by the original and by the new system, 
respectively, and then showing that the two systems have the same properties as far as 
deadlock and individual progress are concerned. The proof is not for free and we are 
grateful to him for having designed it for us. ” (|E2SSg,Pll8). The purpose of this section 
is to show how the guard conjunction lemma can be proved in the extended theory of Owicki 
and Gries (as presented in Section ©. The lemma states 

Lemma (Guard Conjunction Lemma). For a globally correct B, guarded command 

i: { if B A C —♦ 5 fi ) j: 

may be replaced by 

i: ( if B —► skip fi ); k: ( if C —> S fi ) j: 
without impairing total correctness of the design, i.e. 

(i) impairing the correctness of the annotation of the program 

(ii) introducing total deadlock 

(iii) endangering individual progress, i.e., given any component X, and labels ii, jj, each 
proof of the form pc.X = ii pc.X = jj is preserved 

For the sake of completeness, we begin by reproducing the proof of (i). 

Proof. We prove (i) as follows using notation X C Y to mean “fragment X can be trans¬ 
formed to fragment Y without affecting safety”. 

i: ( if B A C —► S fi ) j: 

C {Adding a skip does not affect safety} 

v. ( if true —> skip fi ); k: ( if B A C —* S fi ) j: 

C {Strengthening the guard} 

i: ( if B —> skip fi ); k: ( if B A C —> S fi ) j: 

C {Introducing globally correct assertion B} 
i: ( if B —y skip fi ); {H} k: ( if B A C —> S fi ) j: 

E {Logic} 

i: ( if B -*■ skip fi ); {B} k: < if C -*■ S fi ) j: 

C {Weakening the annotation} 

i: ( if B —> skip fi ); k: ( if C —► S fi ) j: 

Part (ii) follows from (iii) when we interpret (iii) to mean that a program that contains the 
refined code has the same progress properties as the original program. In order to formalise 
(iii), we conceptualise two programs, one is the original program that consists of component 
A and all other components. The other is this program, but with A replaced by A', which 
is obtained from A by replacing the coarse-grained guarded skip by the pair of finer-grained 
statements. 

We will first show that individual progress holds in the modified component, then show 
that individual progress holds for any other component in the program. Hence, we first 
show that: 

(pc.A = i pc.A = j) (pc.A 1 = i pc.A 1 = j) 

Observe that when B is globally correct, as the two codes {H}(ifC— > 5 fi ) and ( if B A 
C —> S fi ) are equivalent, it is enough to prove that codes 

*: ( if B A C —*• S fi ) j: 
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and 

i: ( if B —► skip fi ); k: ( if B A C — >• S fi ) j: 

have the same progress properties. Start by assuming that A can pass its guarded statement, 
i.e., pc.A = i -w pc.A = j holds. By the immediate progress rule, this is only possible if the 
following equations hold: 

pc.A = i pc. A = i A B A C 

pc. A = i A B A C ~> pc.A = j 

We would thus like to show that the corresponding equations hold for component A' in the 
new program, i.e., prove that: 

pc.A' = i -w pc. A 1 = i A B A C (4-10) 

pc. A! = i A B A C pc. A' = j (4.11) 

In the new program, the only component that has changed is A, hence, the rest of the 
program will preserve the proofs of dump and unp. Component A' preserves the proof of 
flump as control remains at i, which completes the proof of dump . Now, A' is guaranteed 
to reach control point k because: 
pc. A 1 = i A B A C 

{Immediate progress rule, B is GC in A'} 
pc. A' = k A B A C 

Furthermore, pc.A’ = i pc.A! = k does not change the state of the rest of the program, 
because a guard evaluation action can only change the control state of the component in 
which the action occurs, which is A'. Hence, 

CS: When pc. A = i and pc.A' = k the rest of the program containing A is in 
the same state as the rest of the program containing A 1 . 
which gives us the following calculation: 
pc. A! = k A B A C 

{CS, pc.A = i A B A C pc.A = j} 
pc. A 1 = j 

This concludes the proof that A! is no less progressive than A. We now prove that the 
implication also holds the other way, that is 

pc.A' = i pc.A' = j => pc.A = i -w pc.A = j 

The above proof shows how A' (with pc.A' = k) can get ahead of A (with pc.A = i ) when 
-iC is true, but, of course, the action at A.k must wait for the rest of the program to make 
C true. Since pc.A' = lAC=i> pc.A' = k A B A C by the annotation of A', and by CS, the 
A.i guard is enabled whenever the A'.k guard is, which concludes the proof that A! is no 
more progressive than A. 

Now given any other component say Y ^ A, if the proof of pc.Y = ii pc.Y = jj 
depends on the proof of pc.A = i pc.A = j, then as pc.A' = i pc.A' = j holds whenever 
pc.A = i pc.A = j, the assertion pc.Y = ii pc.Y = jj continues to hold in the new 
program. If the proof does not depend on A, then as no modifications have been made to 
the rest of the program, again pc.Y = ii pc.Y = jj continues to hold. . 
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5. Conclusion 

In the context of sequential programs, Hoare IHoa691 showed how a sequential program 
could be verified without reference to its operational semantics. Then, in the context of 
concurrent programs, Owicki and Gries |OG76| showed how safety properties could be ver¬ 
ified by adding interference freedom conditions to Hoare’s logic, but leaving the underlying 
logic unchanged. Although this modification was small, the Owicki-Gries theory improved 
on the previously existing global invariant method of !Ash75l because it avoided a state 
explosion problem EE ea nu by decomposing a global invariant into a program annotation 
|Lam87| . In this paper we have developed this theory further and incorporated a theory of 
progress into the formalism. 

mm presents a proof system where the temporal operators □ and <0 have been 
incorporated into the Owicki-Gries formalism. One of the drawbacks of their system is that 
both conditional selection and blocking statements have not been described, and one must 
simulate these using the looping construct. The logic is also missing both ‘next’ and ‘unless’ 
making it less expressive than ours. Furthermore, keywords, ‘at’, ‘after’ and ‘in’ are used 
to describe the control state of the program, and temporal logic has been encoded directly 
(as opposed to axiomatically) into their logic. This has meant that the method needs to 
stay within the realms of logical reasoning, as opposed to algebraic calculation, which as 
[FvG99| has pointed out, is not suitable in the context of program derivation. 

Several event based models exist, such as |HM88l IBS551 ILT891 fSh^H ILam94j . but, 
as Lamport suggests, proofs in these models can easily be translated from one model to 
another, and the difference lies in the ease with which a given program can be formalised 
in a given model. If a target implementation is based on a concurrent sequential program 
model, then we see no reason why this implementation should be modelled in an event 
based one. We therefore see one advantage of our approach over these others in the way 
that it can support a more direct translation of a program design into code. 

The extended theory of Owicki and Gries includes a logic of progress, but it is up to us 
how to make use of it. Our ultimate aim is to integrate this logic into a method of program 
design (derivation) in the same kind of style as |Fv 2H. Early work in this direction is 
promising, and a more comprehensive example can be found in |GD05j . which presents a 
derivation of Dekker’s program for two process mutual exclusion. In a program verification, 
we do not have the freedom to change a program when a proof does not work out. We are 
left with the dilemma of not knowing whether the program or the proof is at fault. In this 
respect, deriving a program that satisfies a specification is certainly superior. IFvG99j have 
already shown how commonly occurring design patterns can be identified in both programs 
and their proofs, and how these patterns can be used to shorten proofs. We believe that 
patterns such as these will emerge with the extended theory as well. It is a case of realising 
when they do and noting them accordingly. 

We note that although leads-to is a widely accepted construct for reasoning about 
progress, it is not without deficiencies. For instance, while leads-to can always be used 
to express the proposition that P will eventually be true, by itself it can not express the 
proposition that P will be true in the next program state. Eh a93| hints at the possibility of 
using auxiliary variables to express the notion of next state. Whether greater expressivity of 
temporal logic can be achieved in the Owicki-Gries theory by combining auxiliary variables 
and leads-to is a topic of further research. 
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Appendix A: Derived rules of the logic of progress 

The logic of UNITY in ICM881 IMisOU is based on an inductive definition of a relation 
leads-to. Given this definition, a number of derived properties are proved. The purpose of 
this appendix is to confirm that these are also derived rules of our progress logic too. The 
Inductive Progress Rules in our definition of leads-to (in Section n are identical to those 
in |CM88| . only the Immediate Progress Rule is different, to take account of the different 
programming models. Therefore, in what follows the proof of a derived rule will assume 
that a use of leads-to always results from a use of the Immediate Progress Rule. 

Theorem (Implication Theorem). (P =4* Q) => (P Q ) 

Proof. First note that, for any R, (P => Q) =>■ ((P A -iQ) => R ). It follows that the three 
premisses of the Immediate Progress Rule are true on account of this equation, because 

(1) P un Q 

= {By definition, for any atomic statement {£/} S} 

P A-iQ RU =>• wlp.S.(P V Q) 

(2) P A —>Q =>■ pc = i 

(3) Any atomic statement can be chosen on account of PA —>Q = false when assuming 

P =Y Q. □ 

Theorem (Impossibility Theorem). (P false ) =>■ —>P 

Proof. First note that, for any S, wlp.S.false = false. We look at the three forms of 
atomic statement that occur in premiss (3) of the Immediate Progress Rule. 

(1) If (P false ) because of a skip , assignment statement, or coarse-grained atomic 

statement i: S j: then 

P wlp.S.false 
= {By wlp and logic} 

—i P 

(2) If (P false ) because of an IF statement of the form 

v. if B\ —> j: S\\\B 2 —> k: S -2 fi /: 

then 

(P A Pi =>- false ) A (P A P 2 => false ) 

= {By logic} 

( — TV - 1 Pi) A (—'P V — 'B 2 ) 

= {By logic} 

~>P V (“ 1 B\ A “ 1 B 2 ) 

=R {By premiss (3bi), P Pi V P 2 } 

— 1 P 

(3) If (P false ) because of a DO statement of the form 

i: do B —> j: S od 

then 

(PAB A false ) A (P A —*B =R false ) 

= {By logic} 

(nPVnB) A (nPVB) 

= {By logic} 

^P V (nBAB) 

= {By logic} 

^P 


□ 
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Theorem (Disjunction Theorem). 

(Vm :m € W: P.m Q.m ) => ((3m :m £ W: P.m) (3m :m £ W: Q.m )) 

Proof. As in ICM88) . □ 

Theorem (Cancellation Theorem). 

(P^QVD)A(D'wfl) =» (P->QVP) 

Proof. As in jCM88j . □ 

Theorem (PSP Theorem). 

(P -^> Q) A (R un D) =>- (PAP~> (Q A R) V D) 

Proof. We assume the antecedent and show that, for the consequent, the three premisses of 
the Immediate Progress Rule are true. The proof uses two equations 

RA^QA—'D = R A —f(Q A R) V D) (5-1) 

QA(RVD) => (Q A R)\/ D (5.2) 

(1) (P -w Q) A (R un D) 

=5- {By Immediate Progress Rule} 

(P un Q) A (R un D) 

= {By dehnition of un, for any atomic statement {U} 5} 

(PA-iQAl/^ wlp.S.(P V Q)) A (R A ~^D AU => wlp.S.(R V D)) 

=> {By logic and conjunctivity of wlp} 

P A^Q ARA^D AU =► wlp.S.((PVQ)A(RVD)) 

= {By logic} 

P A^Q ARA^D AU => wlp.S.((P A R) V (Q A P) V (P A D) V (Q A D)) 

=A {As (PAD) V (Q AD) =s> D} 

P A^Q ARA^D AU ^ wlp.S.((P AP)V(QAR)VP) 

= {By (ED} 

PARA->((QAR)VD)AU =► wlp.S.({P AR) V (Q AR) VP) 

= {By dehnition of un} 

PAR un (Q A R) V P 

(2) For any statement v. S j: 

{P Q) A R un D 
=>- {By Immediate Progress and logic} 

P A -iQ =5- pc = i 
=A {By logic} 

P A R A ~<((Q A R) V D) ^ pc = i 

(3) (a) If (P Q) because of a skip , assignment statement, or coarse-grained atomic 

statement i: 5 j: then 
(P Q) A (R. un D) 

=>- {By dehnition of un and ~^} 

(P A~>Q =$-wlp.(i: S j:).Q) A (R A ->D =>■ wlp.{i\ S j: ).(P V I?)) 

=>■ {By logic} 

.P A —iQ A R A —>D =>• wlp.(i: S j: ).(Q A (P V D)) 

=>■ {By (15.ip . (15.211 and nronotonicity of wlp} 

PAR A~>((Q AR) VD) => wlp.(i:S j:).((Q AR)VD) 
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(b) If (P Q) because of an IF statement of the form 

i: if B\ —> j: S 1 QP 2 —> k: S 2 fi l- 
For premiss (3bi) 

P^Q 

=> {By definition} 

P A —<Q =4> B\ V B 2 
=4* {By logic} 

P A R A —>((Q A R ) V D) =>- Pi V B 2 
and for premiss (3bii) 

(P -w Q) A (P un F>) 

=>■ {By definition} 

(P A — D A B\ =>• (P V P)[pc:= j]) A (P A —'P A P 2 (P V P)[pc:= fc]) A 
(P A -i<5 A Pi => Q[pc:= j]) A (P A -iQ A P 2 =>■ Q[pc: = A;]) 

=>■ {By logic} 

(P A —iQ A P A —'P A Pi =>■ (Q A (P V P))[pc:= /]) A 
(P A —>Q A P A —'P A P 2 =>■ (Q A (P V P))[pc:= A:]) 

=* {% (EH) and EH)} 

(P A P A -i((Q A P) V P) A Pi ((Q AP) VP)[pc:= j]) A 
(PARA -.((Q A P) V P) A P 2 => ((Q A P) V P)[pc:= fc]) 

(c) The case where (P Q) because of a DO statement is similar to case (b). □ 

Theorem (Induction Theorem). Let M be a total function from program states to set 
W. Let (IF, <) be well-founded. Variable m in the following premiss ranges over IF and 
predicates P and Q do not contain free occurrences of variable m. 

(Vm :: P A M = m 'W ( P A M <C 777/) V (^) (.P Q) 

Proof. As in |CM88j . □ 

Theorem (Completion Theorem). Let P.i and Q.i be predicates where i ranges over a 
finite set. 

(Vi :: ( P.i Q.i V P) A (Q.i un P)) =» ((Vi :: P.i) (Vi :: Q.i) V P) 

Proof. As in |CM88| . □ 
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